News items for tag linux - Koos van den Hout

2020-08-31 Adding static IPv4 routes for devices that still need those 3 weeks ago
I decided to have a look whether I can set up the static routes like those needed to get ads-b data out to plane finder via the dhcp server. This works a lot better than having to set those routes by hand after a reboot.

This can be done with the rfc3442 classless static routes extension in DHCP, which isn't supported out of the box by isc dhcpd. But there is support in the dhclient configuration on raspbian, so I only had to add the server side.

All the samples I could find for adding this to the server side added arrays of bytes which is harder to read/comprehend. I had a look at the dhcp-options manpage which showed the option to add a structured record with IPv4 addresses.

Main configuration adding the option:
option rfc3442-classless-static-routes code 121 = array of { integer 8, ip-address, ip-address };
# netmask bit count, destination, via
Specific host configuration using the option with the current address for pfclient-upload.planefinder.net. Which may change!
        host joy {
            hardware ethernet b8:27:eb:ae:ad:47;
            option rfc3442-classless-static-routes 32 80.84.58.2 10.42.2.1;
        }
This pushes route to 80.84.58.2/32 via 10.42.2.1.

Hosts that get this option via dhcp should ignore the default router option so if you need that too you will need to add a route for 0.0.0.0/0. In my specific usecase I don't want to set a default IPv4 route.

Tags: , , ,
2020-07-30 Backup to a remote webdav server using rclone 1 month ago
After the earlier issues with backing up to a remote webdav server I let the problem rest but made sure my backups were in order from time to time.

Until I came across a mention about rclone which especially mentions copying to various cloud services. Since I am trying to backup to a webdav server based on owncloud I had a look and this is a supported configuration in rclone. So I installed rclone to give it a try.

From the devuan distribution I got rclone version 1.35 which seemed to have problems with the specific owncloud server. So I had a look and newer .deb packages are available on the Rclone download page. This worked better.

On the first run rclone was convinced a lot of the files were modified locally since I transfered them with fusedav+rsync, so those were refreshed. But now it is all synchronized correctly the changes are minimal and the runtime isn't very long. I do make sure my uplink isn't filled completely so I limit the bandwidth. Command:
$ rclone --bwlimit 1M -v sync /camera/ owncloudservice:backuptest/camera/

Tags: , ,
2020-07-27 Different SSL tests make things complex 1 month ago
After mention of the internet.nl tests at work I tested my webserver with the test from internet.nl and got a failed for the cipher order test. I do have the 'best' configuration according to the Mozilla SSL Configuration Generator but the test at internet.nl disagrees on this point because of the ordering of the ciphers. So with a lot of checking I now have:
ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256
Which is not the order Mozilla suggests, but gives me an A+ on the Qualys SSL Server test and a good result on the standards test at internet.nl.

I also found out generating my own Diffie-Hellman parameters is not good for parameter sizes of 2048 bits and up. I changed to a known-good group of 4096 bits.

Tags: , ,
2020-07-16 Time to grow the diskspace for the home server 2 months ago
There were some ideas for one or more new virtual machines in the homeserver conway 2017 and the current volume group is almost full. Time to order some new diskspace because there's also some upcoming Devuan upgrades where I'd like to keep a snapshot of the 'before' situation so I can go back if everything breaks.

So I ordered 2 960 Gb SSDs. They will run in a mirror anyway. I was wondering whether to add them to the current volume group or take the 2 256 Gb SSDs out of the volume group. I decided to take those two out: there will be enough space after the upgrade and it can save some power. This does mean the new SSDs will also be set to be bootable and I will have to do a move of the volume group.

The order of changes:
  • Shut down machine
  • Install 2 new disks
  • Boot up machine
  • Partition 2 new disks with boot partition, make bootable with UEFI
  • Test boot from new disk
  • Make raid-1 device from the rest of the space on both disks
  • Add new raid-1 to volume group
  • Move volume group away from old raid-1
  • Remove old raid-1 from volume group
  • Unlink old raid-1
  • Shut down machine
  • Remove 2 old disks
  • Boot up again
Quite a number of steps, this will take some time.
Read the rest of Time to grow the diskspace for the home server

Tags: , ,
2020-07-15 I tamed systemd 2 months ago
I shared my earlier mishap with systemd on twitter: @khoos: Another run-in with systemd and got a reply to check the prerequisites: @devbeard: Is there something that needs to come after, before the thing is there for gpsctl to configure? and I added a dependency on the serial driver for the right port.

This seems to work now, it all comes up as planned. Updated file /etc/systemd/system/ublox-init.service:
[Unit]
Description=u-blox initialisation
Before=gpsd.service
Before=ntp.service
Requires=sys-devices-platform-soc-3f201000.serial-tty-ttyAMA0.device

[Service]
Type=oneshot
ExecStart=/usr/local/bin/gpsctl -q -a -B 115200 --configure_for_timing

[Install]
WantedBy=multi-user.target
And now I'm greeted by a working ntpd at 115200 bps when I log in to the Pi.

Tags: , ,
2020-07-04 Again with systemd in the new GPS Pi 2 months ago
Again and again systemd annoys me. This time in the GPS Pi configured for timing.

Since I want it to work perfectly at start I added the systemd rules as suggested by A Raspberry Pi Stratum 1 NTP Server - Phil's Occasional Blog with /etc/systemd/system/ublox-init.service containing:
[Unit]
Description=u-blox initialisation
Before=gpsd.service
Before=ntp.service

[Service]
Type=oneshot
ExecStart=/usr/local/bin/gpsctl -q -a -B 115200 --configure_for_timing

[Install]
WantedBy=multi-user.target
After reboot ntp was running, but no data at all from the gps unit, and gpsctl was unable to revive it. The solution was to disable the above unit and ntpd, powerdown and restart the whole system and try again. After that doing the changes by hand and starting ntpd worked fine.

It's probably some sort of race condition, but any time I try to make a system with systemd do something reliably I run into things like this.

Tags: , , ,
2020-07-03 Switched the GPS configuration to one optimized for timing 2 months ago
Based on A Raspberry Pi Stratum 1 NTP Server - Phil's Occasional Blog I switched the gps to a configuration optimized for timing. The default settings are optimized for location services, but I want an NTP server.

I used gpsctl to configure the ublox chip in the GPS/RTC Hat:
$ gpsctl -a -B 115200 --configure_for_timing -vv
Serial port ("/dev/ttyAMA0") open...
Serial port open and configured...
Automatically determining baud rate...
Trying 230400 baud...
Trying 115200 baud...
Trying 57600 baud...
Trying 38400 baud...
Trying 19200 baud...
Trying 9600 baud...
Synchronized on 9600 baud...
Changing baud rate to 115200...
Successfully changed baud rate to 115200...
After that I got location data at a high speed. I changed the /etc/ntp.conf parameters to use the GPS_NMEA and PPS drivers, with:
# PPS reference
server 127.127.22.0 minpoll 4 maxpoll 4
fudge 127.127.22.0 refid PPS

# GPS NMEA driver
server 127.127.20.0 mode 89 minpoll 4 maxpoll 4 iburst prefer
fudge 127.127.20.0 flag1 0 flag2 0 flag3 0 time2 0.043 refid GPS
And now I get much better numbers:
$ ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
oPPS(0)          .PPS.            0 l   14   16  377    0.000   -1.656   0.134
*GPS_NMEA(0)     .GPS.            2 l   13   16  377    0.000  -11.730   0.517
+ntpritchie.idef 131.211.8.244    3 u   44   64  377    4.263    1.436  62.373
+metronoom.dmz.c 192.87.106.3     2 u   44   64  377   12.141   -2.250  49.247
koos@henkp:~ $ ntpdc -c kern
pll offset:           -0.00142676 s
pll frequency:        7.468 ppm
maximum error:        4.934e-06 s
estimated error:      3.372e-06 s
status:               2001  pll nano
pll time constant:    4
precision:            1e-09 s
frequency tolerance:  500 ppm
The time offset factors still need work, but I'm getting close!

Tags: , ,
2020-07-02 Setting up the Raspberry Pi to talk to the GPS/RTC board 2 months ago
With most of the hardware in, it is time to configure the Raspberry Pi to allow the GPS/RTC board to be installed. One tip was to do this before installing the board to avoid serial conflicts.

First steps based on Building a GPS Time Server with the Raspberry Pi 3 which uses a different GPS board.

Disabling tty service on the UART:
# systemctl stop serial-getty@ttyAMA0.service
# systemctl disable serial-getty@ttyAMA0.service
And make changes to /boot/cmdline.txt to disable serial console, removing the console=serial0,115200 part.

Also needed is to disable the use of the hardware uart for bluetooth. This device does not need to do bluetooth at all, so I disable the software.
sudo systemctl disable hciuart
And add the lines to disable the bluetooth uart to /boot/config.txt:
dtoverlay=pi3-disable-bt
And with that the UART is completely free to use for GPS and PPS messages. I made all these changes and only added the GPS/RTC hat to the Pi after these changes were done.

Next steps were to add the i2c settings according to the GPS/RTC manual. For this I added
dtoverlay=i2c-rtc,rv3028
dtoverlay=pps-gpio
And indeed the i2c bus appears as the manual says:
# apt-get install python-smbus i2c-tools
[..]
# i2cdetect -y 1
     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
00:          -- -- -- -- -- -- -- -- -- -- -- -- -- 
10: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 
20: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 
30: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 
40: -- -- 42 -- -- -- -- -- -- -- -- -- -- -- -- -- 
50: -- -- UU -- -- -- -- -- -- -- -- -- -- -- -- -- 
60: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 
70: -- -- -- -- -- -- -- --                         
I removed the fake-hwclock package and tested operation. On the commandline it works, but in a reboot I still see weird times in the log.

After that I did the changes to /lib/udev/hwclock-set, now it looks like:
dev=$1

#if [ -e /run/systemd/system ] ; then
#    exit 0
#fi
if [ -e /run/udev/hwclock-set ]; then
    exit 0
fi

if [ -f /etc/default/rcS ] ; then
    . /etc/default/rcS
fi

# These defaults are user-overridable in /etc/default/hwclock
BADYEAR=no
HWCLOCKACCESS=yes
HWCLOCKPARS=
HCTOSYS_DEVICE=rtc0
if [ -f /etc/default/hwclock ] ; then
    . /etc/default/hwclock
fi

if [ yes = "$BADYEAR" ] ; then
#    /sbin/hwclock --rtc=$dev --systz --badyear
    /sbin/hwclock --rtc=$dev --hctosys --badyear
else
#    /sbin/hwclock --rtc=$dev --systz
    /sbin/hwclock --rtc=$dev --hctosys
fi

# Note 'touch' may not be available in initramfs
> /run/udev/hwclock-set
The rtc has to be configured correctly, I used information from A Raspberry Pi Stratum 1 NTP Server - Phil's Occasional Blog to configure the rv3028 chip. Get the gpsctl tool and use configure-rv3208.sh to set up the chip. Now the rtc is correct and used at boot time.

I'm seeing NMEA messages when I run gpsd or ask the serial port for data. The NMEA messages are very limited because there is no GPS antenna connected yet.

Tags: , ,
2020-07-01 A new home timeserver: GPS/RTC board 2 months ago
The Raspberry Pi GPS/RTC Expansion Board from uputronics came in today (thanks mailman!).

Next part needed: a gps antenna. But that's on backorder with another supplier.

Also needed: time to install raspbian on the Pi and start testing.

Tags: , , ,
2020-06-20 A new home timeserver: first parts, a Raspberry Pi 3 months ago
And yet another Raspberry Pi is showing up for my home network. This will become the GPS-based timeserver. I may add it to the NTP Pool when I'm satisfied enough with it.

It will probably also replace the 'shed' weather station computer in the long run, to save on power use.

I added an extra USB-based wifi adapter to the Pi. The shed has no wired network and my experience with the other computer there is that dual-band (2.4 GHz and 5 GHz) wifi support is the best way to have a chance to get working network.

I also ordered the Raspberry Pi GPS/RTC Expansion Board directly from uputronics.

Tags: , , ,
2020-06-07 CQRLOG and repeater contacts 3 months ago
Friday evening I had a contact with PI4AA via the PI2NOS repeater. So I logged the contact with those parameters in CQRLOG.

After a number of other contacts I wanted to upload my new contacts to LoTW. In an upload, CQRLOG creates an ADIF file of the contacts and lets tqsl sign the resulting file before sending the signed file to LoTW. But tqsl doesn't want to include repeater contacts (those aren't valid for LoTW, so it interprets the rules correctly) and it gives a return status 9 meaning "some QSOs suppressed" which CQRLOG displays correctly. But as a result of that return code it doesn't allow for the other contacts to be uploaded at all, leaving me with a growing number of contacts not uploaded to LoTW.

I reported the bug to the CQRLOG forums: Propagation type RPT (repeater) should not be uploaded to LoTW - Forums » CQRLOG » CQRLOG - bugs with a suggestion for a program fix. From my experience, good bugreports for CQRLOG will be acted upon fast.

In the mean time as a workaround I mark all contacts with propagation type 'repeater' as already uploaded to LoTW to skip them. MySQL statement:
$ mysql -S /home/koos/.config/cqrlog/database/sock cqrlog002
mysql> update cqrlog_main set lotw_qslsdate=curdate() where prop_mode='RPT' AND lotw_qslsdate is NULL;
Query OK, 1 row affected (0.03 sec)
Rows matched: 1  Changed: 1  Warnings: 0
and now other contacts can be uploaded fine.

Tags: , ,
2020-05-19 Testing encryption with sslscan including deprecated TLS versions 4 months ago
Encrypt all the things meme Keeping encryption settings correct needs a lot of testing to make sure things are right. With external-facing webservices this is easy with the Qualys SSL scan, but for other services than https or services not facing outward a local tester is needed. This local tester is sslscan, a commandline tool but which depends on the shared openssl libraries which have insecure protocols disabled to helps disabling those deprecated protocols.

But to test services the client needs to support those old protocols to do the test correctly.

So I built a static version of sslscan with static openssl using the instructions at https://github.com/rbsec/sslscan. And that works for the full testing range!
Read the rest of Testing encryption with sslscan including deprecated TLS versions

Tags: , ,
2020-05-14 After years of rants, Windows can still surprise me in a positive way 4 months ago
Windows 10 discovering CUPS printers Microsoft Windows does fall straight into the "does not work well with others" category for me, but today Windows 10 on my work laptop managed to give me a positive surprise.

I wanted to print something at home, and my home network is set up to publish CUPS printers via multicast DNS, both via IPv4 and IPv6 so Linux devices on the network see the printer right away. On selecting "Add a printer" in Windows 10 it just showed me the main home printer as an option and sending something to the printer worked the first time. I did notice the default paper size was still Letter although I have set up A4 everywhere, so that was the only thing left to adjust.

Now for the screenshot I removed the printer and tried to add it again and I notice the availability isn't very consistent. I do see a lot of mdns traffic when I start adding a printer!

Tags: , ,
2020-05-04 A fault in my firewall 4 months ago
I have a Synology NAS at home running DSM, so I had a look at the certificate options. According to the documentation it can get a LetsEncrypt certificate so I tried that. And it worked... which wasn't what I expected.

Some testing later found out port 80 tcp was open for every IPv6 address at home. That's now fixed and limited to those few IPv6 addresses that need to be reachable from the outside world.

Browsing the opinions about allowing outside access to the webserver on the Synology versus not allowing it showed me some differing opinions, but an article listening some malware and ransomware targetting Synology systems made me decide to close the system. Looking at the nginx configuration on the Synology gives me the idea some of the web-accessible functionality is available via port 80.

Tags: , ,
2020-05-01 Probable lightning damage to a network switch 4 months ago
Today I noticed weird problems with the network in a desktop computer. It kept losing packets on the local network, with other computers in the same switch having no problems. In the end I switched to a different networkcard in the same computer to get rid of the problem. And that solved the problem.

The most probable reason is a lightning storm that came very close yesterday evening.

Update: The original 'suspect' was an Intel E1000 network card which had the first problems so I changed to a different card in the same computer. A week or so later similar problems started happening with a different computer on the same switch. I changed the switch which made the problem go away.

On opening the suspect switch I saw a capacitor with a big bulge on the top so the internal power is probably unstable, which can be the root cause of really weird problems.

Update: The replacement switch has only 5 ports, so I ordered an 8-port switch (my home office needs enough ports). After putting the 8-port switch in place I tested with the Intel E1000 again and it worked fine.

Tags: , , ,
2020-04-29 Seeing when it's time to walk to the laserjet printer 4 months ago
I have an aged laserjet 4100 DTN printer at home and it sometimes takes a while to print something. The logs from cups will state that it has been sent to the printer but the printer will still show processing.

Solution: ask the printer for the active pagecounter. This will be updated after the page has really been output, so it will only change when the printer is done with the page.
$ snmpget -v1 -c internal laserjet 1.3.6.1.2.1.43.16.5.1.2.1.1
iso.3.6.1.2.1.43.10.2.1.4.1.1 = Counter32: 738042

Tags: , ,
2020-03-03 Adding contact e-mail addresses to letsencrypt accounts via dehydrated 6 months ago
Encrypt all the things meme I noticed the news about LetsEncrypt revoking a lot of certificates on 4 March 2020 and did some checking to find out eventually that one of my certificates is in that set. Users have been notified of this problem... when their account had a contact e-mail address. By default dehydrated doesn't set an e-mail address so none of my instances used one. I do like to get informed so I searched how to update the contact info. The data is in /etc/dehydrated/config field CONTACT_EMAIL but I needed some searching before I found the method to get the update passed on to LetsEncrypt.

Some searching later found Update registration email address - Issue #425 dehydrated which shows that a simple dehydrated --account does the magic.

Tags: , ,
2020-02-17 Tweaking the SSL cipher settings for 2020 7 months ago
Encrypt all the things meme A few days ago I changed the configuration of haproxy to stop accepting TLSv1.0 and TLSv1.1. With the upcoming deprecation of TLSv1.0 and TLSv1.1 this seemed the right SSL configuration. Today I remembered there is one directly reachable Apache server, so I had a look at the settings there and checked the results with the Qualys SSL Labs SSL Server test where I noticed some ciphers listed as 'weak'. And seeing different results between my haproxy and apache servers, which I did not expect as I used the same settings for SSLCipherSuite in Apache and ssl-default-bind-ciphers in haproxy.

The last issue was caused by the fact that Apache2.4.25 in Devuan ascii uses libssl 1.0.2 and haproxy 1.7.5 uses libssl 1.1.0. I'm not sure that's an ideal configuration but it's what I work with.

With the output of openssl ciphers -v I get a list of cipher names. But this is with libssl1.1.0 so the output lists ciphers that Apache doesn't have access to (yet). The good part is that Apache ignores ciphers that aren't available, so the net result is a running and working configuration.

The current result is for Apache 2.4.25:
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256
And for haproxy 1.7.5:
ssl-default-bind-options force-tlsv12 no-tls-tickets
ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256
The fun part is that I can test the SSL negotiation with sslscan locally but sslscan is linked against openssl 1.0.2 so it misses some of the newer options. And I also test with the Qualys SSL Labs ssl test but that takes a while.

The too long; didn't read version of finding the right configuration options

And later I found I could have saved a lot of time researching options using the Mozilla SSL Configuration Generator. I don't completely agree with the suggestions there because I want to generate my own dhparams. Using 'well-known Diffie-Hellman paramaters' has security risks. But otherwise all the suggestions for ciphers are very usable and save me a lot of time.

Tags: , , ,
2020-02-10 Getting with the times and limiting the webserver to TLSv1.2 7 months ago
In 2020 the support for TLSv1.0 and TLSv1.1 will end so the famous qualys SSL test is giving capped grades. I decided to get with the times and limit my outside web ports to TLSv1.2 so now I am back at an A+ grade.

Eventually this will start to cause problems as Devuan stable doesn't have an openssl with TLSv1.3 support yet.

Tags: , , ,
2020-01-30 Backup to a remote webdav server, first success! 7 months ago
I found a completely different option for transferring files from linux to a remote webdav filesystem: fusedav. Mounting the remote 'cloud' disk with fusedav and synchronizing files with rsync is starting to work.

I decided to split my backups into two categories: first there are file collections that usually only grow, like digital camera pictures and audio project files. This takes the most diskspace and doesn't really need versioning.

The second category is configuration files, homedirs, mail and other things that change and where I may need an older version. This is where backups based on amanda work better.

I mount the filesystem with:
$ fusedav -u koos -p topsecret https://webdav.cloudprovider/remote.php/webdav/ /home/koos/webdavmount/
And the rsync command to backup to this mount:
$ rsync -av --progress --bwlimit=512K --size-only --timeout=30 /camera/2003/ webdavmount/camera/2003/
This looks scriptable so it can run on a regular basis with just a status update to me.

Update:
Reliability is still an issue. I added the --timeout=30 parameter to make rsync abort when the bytes stop flowing.
Read the rest of Backup to a remote webdav server, first success!

Tags: , ,
  Older news items for tag linux ⇒
, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred.

PGP key 5BA9 368B E6F3 34E4 local copy PGP key 5BA9 368B E6F3 34E4 via keyservers pgp key statistics for 0x5BA9368BE6F334E4 Koos van den Hout
RSS
Other webprojects: Camp Wireless, wireless Internet access at campsites, The Virtual Bookcase, book reviews